Oh Lord, Microsoft agrees with open source community

The UK House of Lords Science and Technology Committee is currently investigating personal Internet security, something that would normally be an as-dull-as-dishwater parade of civil servants, and former civil servants now consulting for private sector business, giving boring ‘evidence’ to a committee of half-asleep geriatrics. But something different caught my eye this time around: the fact that representatives of both Microsoft UK and the open source community were answering their Lordships’ questions, and amazingly seemed to be in broad agreement.

Of course, you would have to be at each other’s throats in something more of an Apple and Cisco manner not to be able to find common ground when it comes to the small matter of the UK police lacking the skills and expertise (not to mention financial resources – and unsurprisingly their Lordships didn’t mention financial resources) to be able to deal effectively with the current cyber-crime epidemic that is sweeping the nation.

Here’s what Jerry Fishenden, National Technology Officer for Microsoft UK, had to say on the subject of reporting cyber-crime: “We believe it is necessary to have as easy a reporting mechanism as possible so that when people are victims of cyber-crime or attempted cyber-crime there is a streamlined reporting structure and ideally one body with responsibility for receiving those complaints and having appropriate resources to investigate and potentially initiate prosecutions where appropriate. My understanding is that the United States does have a single point of reporting established by the FBI back in the late 1990s, the Internet Crime Complaints Centre, which takes some 10,000 plus complaints a year and has the authority and resources to actually look into those complaints….Establishing that type of scheme, as happened in the States, would also enable us to get a much better grip on the scale of the problem in the UK. If I walked in to a police station tomorrow to report an on-line phishing attack, would it be treated in the same way as an attempted pick-pocketing? Is that a model we want to move to or do we want to have cyber-crime handled at the centre?”

I can tell you what would happen, or at least what has happened to many people who have done just this. They are greeted with bemused indifference, a kind of ‘and you expect us to do what?’ attitude that will come as no surprise to UK citizens who have enough difficulty getting a police officer to attend a burglary in progress (‘we will send someone next week to take the details’) or to apprehend yobs who have vandalized your property and whom you have cornered in your yard (‘better let them go sir, otherwise we’ll have to arrest you for kidnap’), let alone take a report of a phishing attack seriously. Our police have their hands tied by red tape and paperwork, are increasingly driven by financial targets, and certainly the public perception is of a force that cares more about the easy money delivered by clocking a driver just over the speed limit (speed camera devices are installed across much of the UK road network) than about apprehending ‘real’ criminals. While the focus is on criminalizing the motorist, rather than motoring after the criminal, I cannot see how the cyber-crime reporting situation can improve. Did I just rant then? Ooops.

Alan Cox, giving evidence as a representative of the open source community, seems to broadly agree with me in that he said “If you walk up to the desk sergeant at a typical police station…he does not understand the problems and there is nowhere else to go. We need something which deals with electronic crime and computers, either an understanding in police stations or we need a central contact point.” What he should also have said is that we need a political will to do something about nipping this crime-wave in the bud, regardless of the bottom line cost. What he should have pointed out is that a cost/value analysis is not the way to approach crime fighting, and sometimes it is the rule of law that matters more than the political spin.

Things got a little more interesting when the Microsoft man brought up the subject of spam: “one of the things that would be clearer would be if a spammer is found guilty you can have a clear set of damages set down in the law. For example, you have got the US legislation which gives you the concept of statutory damages in this instance, so you have a per-spam fine which can be held against the spammer. That would, I think, act as a very considerable deterrent against spammers.” This brought a response from their Lordships asking whether Microsoft was actually more concerned with establishing market dominance by rushing out operating systems than with ensuring their security. No surprise that a strong denial was forthcoming from Mr. Fishenden: “I guess I would take almost the opposite view, we have been waiting five years for Windows Vista. I certainly do not think it is true that we have been rushing out new operating systems without due account of security.”

This opened the door to what we were all expecting from the start, a fist fight over which is better when it comes to security, Microsoft or open source software. Adam Laurie, director of The Bunker, a secure hosting data centre, struck the killer verbal blow: “from an open source perspective we believe that [open source] is more secure because it is subject to more scrutiny and peer review and so on. You can look at the code yourself and see if it is secure or not. The other issue with closed source is there are often commercial factors involved in whether or not they release security information or fix a problem. If they believe that they are the only people who know that there is this particular security problem they may choose to do some damage limitation or not to admit to the problem because it will damage their image too much. The open source world has no such limitations because we do not care, we have no liability, so as soon as an issue comes to light we will publish, and usually that will be within hours of the problem coming to light.”

Well, just like the fantasy that the UK government will manage to stop the cyber-crime epidemic with committee meetings and junkets, the fantasy that Microsoft and the open source community are the best of friends had to come to an end.

As Editorial Director and Managing Analyst with IT Security Thing I am putting more than two decades of consulting experience into providing opinionated insight regarding the security threat landscape for IT security professionals. As an Editorial Fellow with Dennis Publishing, I bring more than two decades of writing experience across the technology industry into publications such as Alphr, IT Pro and (in good old fashioned print) PC Pro. I also write for SC Magazine UK and Infosecurity, as well as The Times and Sunday Times newspapers. Along the way I have been honoured with a Technology Journalist of the Year award, and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011.

And as usual things are misrepresented.
Microsoft just says they believe the accusations made against them are wrong, and the OSS world starts attacking Microsoft as usual.

You just have to end with an anti-Microsoft tone as usual don't you?

For the average user Linux is certainly not more secure than is Windows.
They lack the knowledge to do much more than install their system out of the box, and out of the box Windows beats Linux when it comes to security and ease of configuration.
The potential maximum security situation is for 99% of users completely irrelevant, as they're unable to achieve it.
Built-in operating system security is also irrelevant because the majority of cybercrime instances against home users consist of fraud (chain letters, spam promising goods which aren't delivered, eBay auctions that are too good to be true, things like that) or ID theft through email scams.

Operating systems don't protect you against your own stupidity (though IE7 tries with its phishing filter and things like that).

You might have ended your writeup on a less political/religious tone than you did.
As it is (and I know you were quoting) you leave the unwary reader with a specific conclusion.
Whether deliberate (in which case very common but for that no better) or by accident, the conclusion you draw between the lines is agreement with the OSS zealots that Linux is inherently more secure than is Windows.